Governance Meeting, June 26, 2023

2023-06-26T17:00:00Z

Participants: Mark Waite, Alexander Brandes, Ullrich Hafner, Basil Crow, Bruno Verachten, Oleg Nenashev

Agenda:

  • News
    • Jenkins 2.401.2 releases on Wednesday, June 28, 2023
    • CDF Technical Oversight Committee election is in progress
      • Mark Waite nominated from the Jenkins project
      • 4 seats on the committee, 6 candidates
      • Please cast your ballot (email invitations were sent from opavote.com to those eligible to vote)
      • Deadline for voting is today
  • Action Items
    • EasyCLA to be documented by Oleg
    • Mark Waite submit jenkins.io pull request to combine subprojects and SIGs into a single concept - “working groups”
      • Roadmap update pull requests
      • More pull requests needed
    • Retire the Chinese Jenkins site
    • Mark Waite archive the governance meeting notes to a GitHub repository, use the Google doc as the working document, then publish final notes
      • Gavin has prepared the archive, need a destination repository
      • See the infra help desk ticket tracking the discussion
      • Will use jenkins-infra as the location
        • Accept that we’ll place them in jenkins-infra as recommended in the help desk ticket
    • Mark Waite retrospective on signing certificate renewal process and its improvements
      • Not yet collected the details of the retrospective, still to be done
      • Code signing certificate for MSI and WAR files
      • PGP signing key for RPM and DEB files
        • Debian key packaging improvements (some other projects use that technique now)
      • Notification and process improvements
        • Reimbursement improvements
  • Upgrade from Jira 8 to Jira 9 - Mark Waite
    • IT-25544 submitted to the Linux Foundation - end of life in October
    • Step 1 planned for July 6, 2023, up to 2 hour outage for database upgrade
      • Pacific time - afternoon (2:00 PM Pacific)
      • Database upgrade in step 1
  • GitHub sponsors as a fund raising source for the Jenkins project - Mark Waite
    • Newstack article on a new GitHub program for larger scale funding of open source
    • Oleg notes that it is not easy to have GitHub sponsors deposit funds into LFX Crowdfunding
      • Would need GitHub Sponsors to transfer to a Stripe account, then to LFX account
      • LF Charities is a non-profit
    • GitHub supports the concept of fiscal hosts; CNCF and the Linux Foundation use OpenCollective, which it might be possible to use
      • GitHub transfers to OpenCollective account of Linux Foundation as fiscal host
    • No observed demand that we should enable GitHub Sponsors
      • No further plans for now, can reconsider in the future
  • Budget and expenses - Mark Waite
  • LFX Tooling - Alex Brandes
    • Jenkins project piloted into LFX Security, Alex was exploring it a few weeks ago
      • Why the main Jenkins project was not onboarded into LFX Security
      • Pilot project was paused while we waited for the Linux Foundation
        • LFX Security could not handle exceptions and false positive handling
          • Snyk allows it, but the subset of Snyk functionality exposed through LFX Security did not
        • Talked to LFX Security team and finally suspended effort
      • Still no global configuration
        • It would have a high rate of false positives with no easy way to exclude them
        • Java packaging of Jenkins plugins needs special handling that is not available
      • Could enable it for Jenkins core but not workable for Jenkins plugins
        • Dependencies on other plugins are assumed to be bundled dependencies
          • False positive when plugin A declares a dependency on an older version of plugin B
        • Can be done with Snyk and some custom work, but not with LFX Security
    • There is an LFX tooling working group inside the CDF that has started its meetings
      • Tracy Ragan leading, Mark has attended past meetings, invite Alex Brandes to the meetings
      • Expanded scope of LFX Security might be worth more investigation
  • Community activity